A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Web-based git clients

SoniEx2
2020-04-18

web-based git clients would be great but CORS keeps getting in the way for some reason? idk how that thing works I just know I can’t get git to work even with no-cors so that’s a problem.

web-based git clients would be useful for:

  • running from master
  • letting the user browse git repos without putting everything through a proxy and wasting server-side bandwidth.
  • among other things

besides we can already do password mining with no-cors thanks to timing side-channels you can just load a bunch of browsers up with malicious JS and let them mine passwords through the completely unsafe form upload API that can be infinitely automated??? who thought this was a good idea. HTML form submission can’t be trivially automated like this because it actually navigates away from the page.

SoniEx2
2020-04-18

here’s what I can tell:

  • CORS exists for IP-based restrictions
  • no, literally. you’re not allowed to use cookies, but you still must respect CORS. there’s no reason for that other than IP-based restrictions
  • we have CGNAT now. we have VPNs now. we have hundreds of ways around those.
  • drop the DRM.
marcosc
2020-04-24

Hey @SoniEx2, I understand your frustration with CORS… we’ve all been there :slight_smile: But it’s there for good reason. Not sure exactly how you are proxying the requests for git (this isn’t the right forum to have this discussion) - but if it’s GIT that is talking HTTP, then it might be worth filing a bug on git project itself to enable CORS when communicating over HTTP? maybe with some kind of switch or config option… just a thought.

SoniEx2
2020-04-24

the only “valid” use-case is network topology stuff, but uh…

arguably you’d want the git client being usable with LAN repos.

besides, more and more corporate stuff is moving into the cloud. really, we don’t need access-control-allow-origin: * to be explicit anymore. we can make it the default. or at least we can make it a platform/extension and make apps that require that extension thus making it a default by a popularity contest.

seriously, in real life this stuff is only used for webfont DRM.